If you are building AI agents with frameworks like browser-use, LangChain, or OpenClaw, you've likely hit the "blast radius" problem.
A misconfigured prompt or hallucination can cause an agent to navigate to a phishing domain, expose an API key, or confidently claim a task succeeded when it actually clicked a disabled button.
The standard fix right now is "LLM-as-a-judge"—taking a screenshot after the fact and asking GPT-4, "Did this work and is it safe?" That introduces massive latency, burns tokens, and is fundamentally probabilistic.
We built predicate-secure to fix this.
It’s a drop-in Python wrapper that adds a deterministic physics engine to your agent's execution loop.
In 3 to 5 lines of code, without rewriting your agent, it enforces a complete three-phase loop:
Pre-execution authorization:
Before the agent's action hits the OS or browser, it is intercepted and evaluated against a local, fail-closed YAML policy. (e.g., Allow browser.click on button#checkout, Deny fs.read on ~/.ssh/*).
Action execution:
The agent executes the raw Playwright/framework action.
Post-execution verification:
It mathematically diffs the "Before" and "After" states (DOM or system) to prove the action succeeded.
To avoid the "LLM-as-a-judge" trap, the execution of the verification is purely mathematical. We use a local, offline LLM (Qwen 2.5 7B Instruct) strictly to generate the verification predicates based on the state changes (e.g., asserting url_contains('example.com') or element_exists('#success')), and then the runtime evaluates those predicates deterministically in milliseconds.
The DX looks like this:
from predicate_secure import SecureAgent from browser_use import Agent
1. Your existing unverified agent
agent = Agent(task="Buy headphones on Amazon", llm=my_model)
3. Runs with full Pre- & Post-Execution Verification
secure_agent.run()
We have out-of-the-box adapters for browser-use, LangChain, PydanticAI, OpenClaw, and raw Playwright.
Because we know developers hate giving external SaaS tools access to their agent's context, the entire demo and verification loop runs 100% offline on your local machine (tested on Apple Silicon MPS and CUDA).
For enterprise/production fleets, the pre-execution gate can optionally be offloaded to our open-source Rust sidecar (predicate-authorityd) for <1ms policy evaluations.
The repo is open-source (MIT/Apache 2.0). We put together a complete, offline demo showing the wrapper blocking unauthorized navigation and verifying clicks locally using the Qwen 7B model.
I'd love to hear what the community thinks about deterministic verification vs. probabilistic LLM judges, or answer any questions about the architecture!
A misconfigured prompt or hallucination can cause an agent to navigate to a phishing domain, expose an API key, or confidently claim a task succeeded when it actually clicked a disabled button.
The standard fix right now is "LLM-as-a-judge"—taking a screenshot after the fact and asking GPT-4, "Did this work and is it safe?" That introduces massive latency, burns tokens, and is fundamentally probabilistic.
We built predicate-secure to fix this.
It’s a drop-in Python wrapper that adds a deterministic physics engine to your agent's execution loop.
In 3 to 5 lines of code, without rewriting your agent, it enforces a complete three-phase loop:
Pre-execution authorization:
Before the agent's action hits the OS or browser, it is intercepted and evaluated against a local, fail-closed YAML policy. (e.g., Allow browser.click on button#checkout, Deny fs.read on ~/.ssh/*).
Action execution:
The agent executes the raw Playwright/framework action.
Post-execution verification:
It mathematically diffs the "Before" and "After" states (DOM or system) to prove the action succeeded.
To avoid the "LLM-as-a-judge" trap, the execution of the verification is purely mathematical. We use a local, offline LLM (Qwen 2.5 7B Instruct) strictly to generate the verification predicates based on the state changes (e.g., asserting url_contains('example.com') or element_exists('#success')), and then the runtime evaluates those predicates deterministically in milliseconds.
The DX looks like this:
from predicate_secure import SecureAgent from browser_use import Agent
1. Your existing unverified agent
agent = Agent(task="Buy headphones on Amazon", llm=my_model)
2. Drop-in the Predicate wrapper
secure_agent = SecureAgent( agent=agent, policy="policies/shopping.yaml", mode="strict" )
3. Runs with full Pre- & Post-Execution Verification
secure_agent.run()
We have out-of-the-box adapters for browser-use, LangChain, PydanticAI, OpenClaw, and raw Playwright.
Because we know developers hate giving external SaaS tools access to their agent's context, the entire demo and verification loop runs 100% offline on your local machine (tested on Apple Silicon MPS and CUDA).
For enterprise/production fleets, the pre-execution gate can optionally be offloaded to our open-source Rust sidecar (predicate-authorityd) for <1ms policy evaluations.
The repo is open-source (MIT/Apache 2.0). We put together a complete, offline demo showing the wrapper blocking unauthorized navigation and verifying clicks locally using the Qwen 7B model.
Repo and Demo: https://github.com/PredicateSystems/predicate-secure
Another demo for securing your OpenClaw:
https://github.com/PredicateSystems/predicate-claw
Demo (GIF):
https://github.com/PredicateSystems/predicate-claw/blob/main...
I'd love to hear what the community thinks about deterministic verification vs. probabilistic LLM judges, or answer any questions about the architecture!